
[tls] Don't use OpenSSL<1.0.2 fallback on 1.1+

Address GH #2716. Also see https://bugs.python.org/issue29697.

(cherry picked from commit 27904530d1f8efd26e2b96fa5f18a3aad887919b)

SPChan authored on 27/04/2021 16:51:22 • Daniel-Constantin Mierla committed on 29/04/2021 13:01:25
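--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -57,8 +57,12 @@ extern EVP_PKEY * tls_engine_private_key(const char* key_id);
  * ECDHE is enabled only on OpenSSL 1.0.0e and later.
  * See http://www.openssl.org/news/secadv_20110906.txt
  * for details.
+ * Also, copied from _ssl.c of Python for correct initialization.
+ * Allow automatic ECDH curve selection (on OpenSSL 1.0.2+), or use
+ * prime256v1 by default.  This is Apache mod_ssl's initialization
+ * policy, so we should be safe. OpenSSL 1.1 has it enabled by default.
  */
-#ifndef OPENSSL_NO_ECDH
+#if !defined(OPENSSL_NO_ECDH) && !defined(OPENSSL_VERSION_1_1)
 static void setup_ecdh(SSL_CTX *ctx)
 {
    EC_KEY *ecdh;
@@ -69,11 +73,15 @@ static void setup_ecdh(SSL_CTX *ctx)
    }
 #endif
 
+#if defined(SSL_CTX_set_ecdh_auto)
+   SSL_CTX_set_ecdh_auto(ctx, 1);
+#else
    ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
    SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE);
    SSL_CTX_set_tmp_ecdh(ctx, ecdh);
 
    EC_KEY_free(ecdh);
+#endif
 }
 #endif
 
@@ -691,7 +699,7 @@ static int set_cipher_list(tls_domain_t* d)
 					tls_domain_str(d), cipher_list);
 			return -1;
 		}
-#ifndef OPENSSL_NO_ECDH
+#if !defined(OPENSSL_NO_ECDH) && !defined(OPENSSL_VERSION_1_1)
                 setup_ecdh(d->ctx[i]);
 #endif
 #ifndef OPENSSL_NO_DH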
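Review bot: The new guard `!defined(OPENSSL_VERSION_1_1)` on the setup_ecdh definition, and again at the call site in set_cipher_list, tests a macro that OpenSSL's own headers do not provide, so unless a project header that derives it from OPENSSL_VERSION_NUMBER is included in this file, the test is silently true and the pre-1.1 path is still compiled and called against 1.1+. Gating directly on the library's own macro, `#if !defined(OPENSSL_NO_ECDH) && OPENSSL_VERSION_NUMBER < 0x10100000L`, at both places removes that dependency on an include that is not visible here. Separately, in the 1.0.2 branch `SSL_CTX_set_ecdh_auto(ctx, 1)` now stands in for the `SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE)` call that only the fallback branch still makes; the Python _ssl.c the comment cites appears to set that option independently of curve selection, so hoisting it above `#if defined(SSL_CTX_set_ecdh_auto)` keeps per-handshake ephemeral ECDH keys on either branch, and it is harmless on builds where the option is a no-op. The body of setup_ecdh between the first two hunks and the rest of set_cipher_list lie outside the hunks shown.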